Fun with code, tests, and verification
K. Rustan M. Leino
Research in Software Engineering (RiSE), Microsoft Research, Redmond

Caltech, Pasadena, CA
12 November 2009
Software engineering research

Goal: better build, maintain, and understand programs

How do we do it?
- Specifications
- Tools, tools, tools
- Program semantics
- Verification-condition generation, symbolic execution, model checking, abstract interpretation, fuzzing, test generation
- Satisfiability Modulo Theories (SMT)
Some specification/verification tools at Microsoft

- Static Driver Verifier (SDV): applied regularly to all Microsoft device drivers of the supported device models, ~300 bugs found; available to third parties in the Windows DDK
- SAGE: applied regularly; 100s of people doing various kinds of fuzzing
- HAVOC: has been applied to 100s of KLOC; ~40 bugs in resource leaks, lock usage, use-after-free
- Pex: test generation, uses Code Contracts; applied to various library components
- VCC: being applied to the Microsoft Hypervisor
- …
Spec# programming system [Barnett, Fähndrich, Leino, Müller, Schulte, Venter, et al.]

Research prototype

Spec# language: C# 2.0 + non-null types + contracts

Checking:
- Static type checking
- Run-time checking
- Static verification
Chunker (Spec# demo)
Reasoning about programs

Hoare triple { P } S { Q } says that every terminating execution trace of program S that starts in a state satisfying P
- does not go wrong, and
- terminates in a state satisfying Q
Assignments

{ Q[E/x] } x := E { Q }

Examples:
- { y is even } x := y { x is even }
- { x < 99 } x := x + 1 { x < 100 }
- { 9*y*y + 15*y = 721 } x := 3*y { x*x + 5*x = 721 }
Loops

To prove { P } while B do S end { Q }, find a loop invariant J and prove:
- invariant holds initially: P ⇒ J
- invariant is maintained: { J ∧ B } S { J }
- invariant is strong enough to establish the postcondition: J ∧ ¬B ⇒ Q
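The loop rule above applied to a Cubes program, as an added example (my code, not the demo's). check_loop tests the three obligations on a set of constructed sample states, which is a bounded check rather than the proof Spec# produces. I assume the Cubes demo is the usual program that fills a[i] with i*i*i using only additions, keeping c == n*n*n, k == 3*n*n + 3*n + 1 and m == 6*n + 6 as invariants; the buggy body and the weakened invariant show which obligation each mistake breaks.

```python
import itertools


def check_loop(pre, inv, guard, body, post, states):
    """Check the three obligations of the loop rule on every sample state:
         initialization:  pre(s) ==> inv(s)
         maintenance:     inv(s) and guard(s) ==> inv(body(s))
         postcondition:   inv(s) and not guard(s) ==> post(s)
    Returns the name of the first obligation that fails, or None.  This is a
    bounded check over `states`, i.e. a test; a verifier discharges the same
    three obligations for all states with a prover."""
    for s in states:
        if pre(s) and not inv(s):
            return "initialization"
        if inv(s) and guard(s) and not inv(body(s)):
            return "maintenance"
        if inv(s) and not guard(s) and not post(s):
            return "postcondition"
    return None


# --- the loop under test: a[i] := i*i*i using only additions ------------------
def cubes_body(s):
    """One iteration; returns the new state (the input state is not mutated)."""
    a = list(s["a"]); n, c, k, m = s["n"], s["c"], s["k"], s["m"]
    a[n] = c
    c = c + k        # (n+1)^3 = n^3 + (3n^2 + 3n + 1)
    k = k + m        # 3(n+1)^2 + 3(n+1) + 1 = k + (6n + 6)
    m = m + 6
    return {"a": a, "n": n + 1, "c": c, "k": k, "m": m}


def cubes_body_buggy(s):
    """Same body with the c and k updates swapped: c picks up the new k."""
    a = list(s["a"]); n, c, k, m = s["n"], s["c"], s["k"], s["m"]
    a[n] = c
    k = k + m
    c = c + k
    m = m + 6
    return {"a": a, "n": n + 1, "c": c, "k": k, "m": m}


def cubes_pre(s):        # the state right after  n, c, k, m := 0, 0, 1, 6
    return (s["n"], s["c"], s["k"], s["m"]) == (0, 0, 1, 6)


def cubes_guard(s):
    return s["n"] < len(s["a"])


def cubes_post(s):
    return all(s["a"][i] == i ** 3 for i in range(len(s["a"])))


def cubes_inv_weak(s):   # the arithmetic invariants only
    n = s["n"]
    return (0 <= n <= len(s["a"]) and s["c"] == n ** 3
            and s["k"] == 3 * n * n + 3 * n + 1 and s["m"] == 6 * n + 6)


def cubes_inv(s):        # ... plus what the loop has established about a so far
    return cubes_inv_weak(s) and all(s["a"][i] == i ** 3 for i in range(s["n"]))


def cube_states(max_len=4, noise=range(-2, 3)):
    """Constructed sample states (not from the talk): for each array length and
    counter n, the array the loop would have built and a garbage array, with
    c, k, m at their correct values and perturbed by small offsets."""
    for length in range(max_len + 1):
        for n in range(length + 1):
            built = [i ** 3 for i in range(n)] + [-1] * (length - n)
            for a in (built, [-1] * length):
                for dc, dk, dm in itertools.product(noise, repeat=3):
                    yield {"a": a, "n": n, "c": n ** 3 + dc,
                           "k": 3 * n * n + 3 * n + 1 + dk, "m": 6 * n + 6 + dm}


def verify_cubes(body=cubes_body, inv=cubes_inv):
    return check_loop(cubes_pre, inv, cubes_guard, body, cubes_post, cube_states())


def cubes(length):
    """Run the loop for real, as a sanity check on the bounded verification."""
    s = {"a": [0] * length, "n": 0, "c": 0, "k": 1, "m": 6}
    while cubes_guard(s):
        s = cubes_body(s)
    return s["a"]
```

verify_cubes() returns None for the correct loop; with cubes_body_buggy it reports "maintenance" (the invariant c == n*n*n is broken on the very first iteration), and with cubes_inv_weak it reports "postcondition": the arithmetic invariants alone are true but say nothing about the array, so they cannot establish the postcondition when the loop exits. That is exactly the third obligation, the one that is most often forgotten when an invariant is written.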
Cubes (Spec# demo)
Chalice [Leino, Müller, Smans]

Experimental language with focus on:
- Shared-memory concurrency
- Static verification

Key features:
- Memory access governed by a model of permissions
- Sharing via locks with monitor invariants
- Deadlock checking, dynamic lock re-ordering
- Channels

Other features: classes; mutual exclusion and readers/writers locks; fractional permissions; two-state monitor invariants; asynchronous method calls; memory leak checking; logic predicates and functions; ghost and prophecy variables
Inc (Chalice demo)
Transfer of permissions

  method Main() {
    var c := new Counter;
    call c.Inc();
  }

  method Inc()
    requires acc(y)
    ensures acc(y)
  {
    y := y + 1;
  }

The call transfers acc(c.y) from Main into Inc, as required by the precondition, and the postcondition hands it back to Main when Inc returns.
Shared state

What if two threads want write access to the same location?

  class Fib {
    var y: int;

    method A() … {
      y := y + 21;
    }

    method B() … {
      y := y + 34;
    }

    method Main() {
      var c := new Fib;
      fork c.A();
      fork c.B();
    }
  }

acc(c.y) ? Both A and B need write permission to y, but Main holds only one acc(c.y) to pass on, so the second fork cannot be given it.
Monitors

  class Fib {
    var y: int;
    invariant acc(y);

    method A() … {
      acquire this;
      y := y + 21;
      release this;
    }

    method B() … {
      acquire this;
      y := y + 34;
      release this;
    }

    method Main() {
      var c := new Fib;
      share c;
      fork c.A();
      fork c.B();
    }
  }

share c moves acc(c.y) from Main into the monitor of c; acquire this gives the acquiring thread the monitor's acc(y), and release this returns it.

Monitor invariants

Like other specifications, monitor invariants can hold both permissions and conditions.
Example: invariant acc(y) && 0 <= y
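The permission accounting of the last four slides, as an added example (my code, not Chalice's): a Python class that enforces acc(y) at run time, where Chalice proves it statically. Each field has exactly one holder at a time: the creating thread, a forked thread that received the permission, or the object's monitor. share, acquire, release, fork and the monitor invariant acc(y) && 0 <= y follow the slides; the thread-identity bookkeeping, the requires_acc flag on fork and the AccessViolation exception are assumptions of the example.

```python
import threading


class AccessViolation(Exception):
    """Raised where Chalice would report a verification error."""


MONITOR = object()   # sentinel holder: the permission sits in the object's monitor


class Fib:
    """The Fib class of the slides.  y may be read or written only by the current
    holder of acc(y); the monitor invariant is acc(y) && 0 <= y."""
    def __init__(self):
        self._y = 0
        self._holder = threading.current_thread()   # `new` gives the creator acc(y)
        self._lock = threading.Lock()

    def assert_holder(self):
        if self._holder is not threading.current_thread():
            raise AccessViolation("acc(y) is not held by this thread")

    @property
    def y(self):
        self.assert_holder()
        return self._y

    @y.setter
    def y(self, value):
        self.assert_holder()
        self._y = value

    def invariant(self):
        return 0 <= self._y

    def share(self):
        """share this: acc(y) moves into the monitor; the invariant must hold now."""
        self.assert_holder()
        if not self.invariant():
            raise AccessViolation("monitor invariant does not hold at share")
        self._holder = MONITOR

    def acquire(self):
        """acquire this: mutual exclusion plus the monitor's permission and invariant."""
        self._lock.acquire()
        self._holder = threading.current_thread()

    def release(self):
        """release this: the invariant is re-checked, then acc(y) returns to the monitor."""
        self.assert_holder()
        if not self.invariant():
            raise AccessViolation("monitor invariant violated at release")
        self._holder = MONITOR
        self._lock.release()


def fork(obj, method, requires_acc):
    """fork obj.method(): permissions named in the callee's precondition move
    from the forking thread to the new thread before it starts."""
    t = threading.Thread(target=method, args=(obj,))
    if requires_acc:          # precondition acc(y): the forker must hold it to give it away
        obj.assert_holder()
        obj._holder = t
    t.start()
    return t


# --- Transfer of permissions: call c.Inc() ------------------------------------
def inc(c):                   # requires acc(y) ensures acc(y)
    c.y = c.y + 1


def transfer_main():
    c = Fib()                 # Main holds acc(c.y)
    inc(c)                    # acc(c.y) goes in with requires, comes back with ensures
    return c.y                # so Main may still read c.y


# --- Shared state without a monitor: fork c.A(); fork c.B() -------------------
def a_unshared(c):            # requires acc(y)
    c.y = c.y + 21


def b_unshared(c):            # requires acc(y)
    c.y = c.y + 34


def unshared_main():
    c = Fib()
    t1 = fork(c, a_unshared, requires_acc=True)   # acc(c.y) goes to the A thread
    try:
        fork(c, b_unshared, requires_acc=True)    # Main has nothing left to give
        return "both forks accepted"
    except AccessViolation:
        return "second fork rejected: acc(c.y) already given away"
    finally:
        t1.join()


# --- Monitors: share c, then acquire/release inside A and B -------------------
def a_monitor(c):
    c.acquire(); c.y = c.y + 21; c.release()


def b_monitor(c):
    c.acquire(); c.y = c.y + 34; c.release()


def monitor_main():
    c = Fib()
    c.share()                                     # acc(c.y) now lives in the monitor
    threads = [fork(c, a_monitor, False), fork(c, b_monitor, False)]
    for t in threads:
        t.join()
    c.acquire()                                   # Main, too, must acquire to look at y
    y = c.y
    c.release()
    return y                                      # 55 on every run, no lost update


def invariant_violation():
    """A release that would leave y negative is rejected (invariant acc(y) && 0 <= y)."""
    c = Fib(); c.share(); c.acquire(); c.y = -1
    try:
        c.release()
        return False
    except AccessViolation:
        return True
```

unshared_main is deterministic: the rejection happens at the second fork, before any thread races, which is the point of tying access to a permission rather than detecting the race after the fact. In the monitor version the lock provides mutual exclusion and the permission transfer on acquire/release is what makes the accesses inside A and B legal.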
Boogie – a verification platform [Barnett, Jacobs, Leino, Moskal, Rümmer, et al.]

Front ends: Spec#, C with HAVOC specifications, Dafny, C with VCC specifications, Chalice
  |
  v
Boogie
  |
  v
Back-end provers: Z3, Simplify, SMT Lib, Isabelle/HOL
Encoding object-oriented programs in Boogie (Boogie demo)
Specifications: .NET today

StringBuilder.Append Method (Char[], Int32, Int32)
Appends the string representation of a specified subarray of Unicode characters to the end of this instance.

  public StringBuilder Append(char[] value, int startIndex, int charCount);

Parameters
  value: A character array.
  startIndex: The starting position in value.
  charCount: The number of characters to append.
Return Value
  A reference to this instance after the append operation has occurred.
Exceptions
  ArgumentNullException: value is a null reference, and startIndex and charCount are not zero.
  ArgumentOutOfRangeException: charCount is less than zero. -or- startIndex is less than zero. -or- startIndex + charCount is less than the length of value.
Specifications in Spec#

  public StringBuilder Append(char[] value, int startIndex, int charCount);
    requires value == null ==> startIndex == 0 && charCount == 0;
    requires 0 <= startIndex;
    requires 0 <= charCount;
    requires value != null ==> startIndex + charCount <= value.Length;
    ensures result == this;

Compare the last precondition with the exception table above: the prose documentation says the exception is thrown when startIndex + charCount is less than the length of value, which has the comparison backwards; the contract states the bound precisely, and a checker can hold the implementation and its callers to it.
Specifications with Code Contracts (.NET 4.0) [Barnett, Fähndrich, Grunkemeyer, Logozzo, et al.]

  public StringBuilder Append(char[] value, int startIndex, int charCount)
  {
    Contract.Requires(value != null || (startIndex == 0 && charCount == 0));
    Contract.Requires(0 <= startIndex);
    Contract.Requires(0 <= charCount);
    Contract.Requires(value == null || startIndex + charCount <= value.Length);
    Contract.Ensures(Contract.Result<StringBuilder>() == this);

    // method implementation...
  }

Note that the postcondition is declared at the top of the method body, which is not where it should be executed. A rewriter tool moves these checks to the method's exit points.
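The Code Contracts version above, as an added Python example (my code, not Microsoft's library): a contract decorator plays the part of the rewriter, running the Requires checks before the body and the Ensures checks after it returns, and a toy StringBuilder.append carries the four preconditions and the postcondition from the slide. The ContractViolation exception type, the list-of-characters representation of char[] and the violates helper are assumptions of the example.

```python
import functools


class ContractViolation(AssertionError):
    """Raised when a Requires or Ensures clause fails."""


def contract(requires=(), ensures=()):
    """Code-Contracts-style decorator.  `requires`: (predicate over the call's
    arguments, message) pairs checked on entry.  `ensures`: (predicate over
    (result, *arguments), message) pairs checked on exit.  In C# the
    Contract.Ensures call is written at the top of the body and the rewriter
    moves it to the return points; here the wrapper simply runs it after fn."""
    def decorate(fn):
        @functools.wraps(fn)
        def wrapper(*args, **kwargs):
            for pred, message in requires:
                if not pred(*args, **kwargs):
                    raise ContractViolation(f"Precondition failed: {message}")
            result = fn(*args, **kwargs)
            for pred, message in ensures:
                if not pred(result, *args, **kwargs):
                    raise ContractViolation(f"Postcondition failed: {message}")
            return result
        return wrapper
    return decorate


class StringBuilder:
    """Toy builder holding a list of characters; `value` is a list of
    one-character strings or None, standing in for char[] and null."""
    def __init__(self):
        self._chars = []

    @contract(
        requires=[
            (lambda self, value, start_index, char_count:
                 value is not None or (start_index == 0 and char_count == 0),
             "value == null ==> startIndex == 0 && charCount == 0"),
            (lambda self, value, start_index, char_count: 0 <= start_index,
             "0 <= startIndex"),
            (lambda self, value, start_index, char_count: 0 <= char_count,
             "0 <= charCount"),
            (lambda self, value, start_index, char_count:
                 value is None or start_index + char_count <= len(value),
             "value != null ==> startIndex + charCount <= value.Length"),
        ],
        ensures=[(lambda result, self, *_: result is self, "result == this")],
    )
    def append(self, value, start_index, char_count):
        if value is not None:
            # Without the fourth precondition this slice would silently truncate
            # an out-of-range (start_index, char_count), hiding the caller's bug.
            self._chars.extend(value[start_index:start_index + char_count])
        return self

    def __str__(self):
        return "".join(self._chars)


class BrokenBuilder(StringBuilder):
    """Forgets `return self`: the postcondition catches it at the first call."""
    @contract(ensures=[(lambda result, self, *_: result is self, "result == this")])
    def append(self, value, start_index, char_count):
        super().append(value, start_index, char_count)


def violates(thunk):
    """True iff calling thunk() raises a ContractViolation."""
    try:
        thunk()
        return False
    except ContractViolation:
        return True
```

A precondition failure is reported before the body runs, so a rejected call leaves the builder untouched; that is what makes a contract violation a clean signal of a caller bug rather than a corrupted object discovered later. Pex, discussed next, generates inputs that drive exactly these contract boundaries.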
TrimSuffix (Code Contracts and Pex demo) [Tillmann & de Halleux]
Try it for yourself

- Spec# (open source): http://specsharp.codeplex.com
- VCC (open source): http://vcc.codeplex.com
- Boogie, Chalice, Dafny (open source): http://boogie.codeplex.com
- Code Contracts: http://research.microsoft.com/contracts
- Pex: http://research.microsoft.com/pex
- RiSE: http://research.microsoft.com/rise